Talos has added and modified multiple rules in the app-detect, file-pdf, malware-cnc and os-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2092000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
* 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
* 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
* 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
* 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
* 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
* 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
* 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
* 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
* 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
* 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
* 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
* 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
* 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
* 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
* 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
* 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
* 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
* 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
* 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
* 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
* 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
* 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
* 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
* 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
* 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
* 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
* 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
* 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
* 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
* 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
* 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
* 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
* 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
* 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
* 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
* 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
* 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
* 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
* 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
* 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
* 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
* 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
* 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
* 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
* 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
* 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
* 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
* 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
* 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
* 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
* 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
* 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
* 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
* 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
* 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
* 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
* 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
* 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
* 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
* 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
* 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
* 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
* 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
* 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
* 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
* 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
* 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
* 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
* 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
* 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
* 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
* 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
* 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
* 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
* 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
* 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
* 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
* 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
* 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
* 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
* 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
* 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
* 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
* 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
* 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
* 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
* 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
* 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
* 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
* 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
* 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
* 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
* 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
* 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
* 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
* 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
* 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
* 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
* 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
* 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
* 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
* 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
* 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091900.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
* 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
* 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
* 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
* 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
* 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
* 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
* 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
* 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
* 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
* 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
* 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
* 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
* 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
* 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
* 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
* 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
* 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
* 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
* 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
* 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
* 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
* 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
* 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
* 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
* 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
* 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
* 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
* 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
* 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
* 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
* 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
* 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
* 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
* 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
* 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
* 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
* 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
* 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
* 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
* 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
* 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
* 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
* 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
* 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
* 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
* 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
* 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
* 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
* 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
* 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
* 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
* 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
* 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
* 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
* 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
* 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
* 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
* 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
* 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
* 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
* 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
* 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
* 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
* 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
* 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
* 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
* 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
* 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
* 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
* 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
* 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
* 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
* 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
* 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
* 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
* 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
* 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
* 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
* 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
* 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
* 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
* 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
* 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
* 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
* 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
* 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
* 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
* 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
* 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
* 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
* 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
* 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
* 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
* 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
* 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
* 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
* 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
* 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
* 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
* 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
* 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
* 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
* 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091801.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
* 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
* 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
* 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
* 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
* 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
* 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
* 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
* 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
* 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
* 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
* 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
* 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
* 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
* 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
* 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
* 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
* 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
* 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
* 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
* 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
* 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
* 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
* 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
* 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
* 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
* 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
* 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
* 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
* 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
* 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
* 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
* 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
* 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
* 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
* 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
* 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
* 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
* 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
* 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
* 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
* 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
* 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
* 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
* 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
* 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
* 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
* 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
* 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
* 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
* 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
* 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
* 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
* 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
* 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
* 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
* 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
* 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
* 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
* 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
* 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
* 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
* 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
* 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
* 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
* 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
* 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
* 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
* 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
* 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
* 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
* 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
* 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
* 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
* 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
* 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
* 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
* 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
* 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
* 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
* 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
* 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
* 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
* 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
* 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
* 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
* 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
* 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt
(app-detect.rules) * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules) * 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules) * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules) * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules) * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules) * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules) * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules) * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules) * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules) * 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules) * 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules) * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules) * 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules) * 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules) * 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules) * 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules) * 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules) * 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules) * 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules) * 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091701.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
* 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
* 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
* 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
* 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
* 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
* 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
* 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
* 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
* 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
* 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
* 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
* 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
* 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
* 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
* 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
* 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
* 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
* 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
* 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
* 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
* 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
* 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
* 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
* 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
* 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
* 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
* 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
* 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
* 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
* 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
* 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
* 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
* 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
* 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
* 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
* 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
* 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
* 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
* 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
* 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
* 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
* 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
* 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
* 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
* 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
* 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
* 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
* 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
* 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
* 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
* 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
* 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
* 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
* 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
* 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
* 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)
* 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
* 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
* 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
* 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
* 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
* 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
* 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
* 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
* 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
* 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
* 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
* 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
* 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
* 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
* 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
* 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
* 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
* 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
* 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
* 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
* 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
* 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
* 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
* 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
* 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
* 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
* 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
* 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
* 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
* 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
* 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
* 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
* 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
* 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
* 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
* 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
* 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
* 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
* 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
* 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
* 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
* 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
* 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
* 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
* 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
* 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
* 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
* 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
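The "gid:sid <-> Default rule state <-> Message (rule group)" format stated for each rule pack above is regular enough to parse mechanically, and that is the practical way to answer the questions an operator has about a pack: which gid:sid pairs it touched, how many of them ship enabled, and what changed since the previous pack. The Python below is an added example written for this page; it is not part of the Talos changelog or of any Snort tooling. Its sample entries are a handful of lines copied from this page (both the one-per-line form and the run-together form in which the page renders them), plus a constructed "next release" excerpt, labelled as such, that exists only to exercise the diff.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One changelog entry: gid:sid <-> Default rule state <-> Message (rule group)
ENTRY_RE = re.compile(
    r"^(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[A-Za-z0-9_.-]+\.rules)\)$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    message: str
    group: str

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"

    @property
    def category(self) -> str:
        # Talos messages lead with the rule category, e.g. "APP-DETECT"
        return self.message.split(" ", 1)[0]


def parse_entries(text: str) -> list[RuleEntry]:
    """Parse a changelog body in the page's format.

    Accepts the canonical one-entry-per-line form and the flattened form in
    which several "* ..." entries share a line.  A chunk that does not match
    the format raises, so a corrupted changelog is noticed, not silently
    dropped.
    """
    entries: list[RuleEntry] = []
    for line in text.splitlines():
        for chunk in re.split(r"\s*\*\s+", line):  # "* " is the bullet
            chunk = chunk.strip()
            if not chunk:
                continue
            m = ENTRY_RE.match(chunk)
            if m is None:
                raise ValueError(f"unparseable changelog entry: {chunk!r}")
            entries.append(RuleEntry(int(m["gid"]), int(m["sid"]),
                                     m["state"] == "ENABLED", m["msg"], m["group"]))
    return entries


def summarize(entries: list[RuleEntry]) -> dict[str, tuple[int, int]]:
    """Per rule group: (enabled-by-default count, disabled-by-default count)."""
    counts: dict[str, tuple[int, int]] = {}
    for e in entries:
        en, dis = counts.get(e.group, (0, 0))
        counts[e.group] = (en + 1, dis) if e.enabled else (en, dis + 1)
    return counts


def disabled_matching(entries: list[RuleEntry], keyword: str) -> list[str]:
    """gid:sid of rules that ship DISABLED and whose message contains keyword."""
    kw = keyword.lower()
    return [e.key for e in entries if not e.enabled and kw in e.message.lower()]


def diff_releases(old: list[RuleEntry], new: list[RuleEntry]):
    """Compare two parsed changelogs by gid:sid.  Returns the sets of keys
    that were added, removed, or whose default state flipped."""
    o = {e.key: e for e in old}
    n = {e.key: e for e in new}
    added = set(n) - set(o)
    removed = set(o) - set(n)
    flipped = {k for k in set(o) & set(n) if o[k].enabled != n[k].enabled}
    return added, removed, flipped


# Constructed excerpts in the page's format: three "new rules" entries copied
# from this page, flattened onto one line the way the page renders them ...
NEW_RULES = (
    "* 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules) "
    "* 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules) "
    "* 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)"
)

# ... and four "modified rules" entries copied from this page, one per line.
MODIFIED_RULES = """\
* 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
* 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
* 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
* 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
"""

# Constructed "next release" variant for the diff (not a real Talos pack):
# 1:560 dropped, 1:27700 now ENABLED, 1:27536 added.
NEXT_RULES = """\
* 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
* 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
* 1:27700 <-> ENABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
* 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
"""

if __name__ == "__main__":
    new = parse_entries(NEW_RULES)
    print("new rules by group:", summarize(new))
    mod = parse_entries(MODIFIED_RULES)
    print("disabled DNS-tunnel detections:", disabled_matching(mod, "dns tunnel"))
    print("added/removed/flipped:", diff_releases(mod, parse_entries(NEXT_RULES)))
```

Every APP-DETECT entry in the modified lists on this page ships DISABLED, so installing the pack changes nothing on a sensor for those sids until the operator turns them on; disabled_matching is the quick way to pull the candidates (here the DNS tunneling detections) out of a changelog before deciding which to enable. The parser deliberately raises on a malformed chunk rather than skipping it: a changelog that silently loses entries is worse than one that fails loudly.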
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091700.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
* 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
* 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
* 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
* 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
* 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
* 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
* 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
* 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
* 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
* 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
* 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
* 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
* 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
* 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
* 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
* 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
* 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
* 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
* 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
* 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
* 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
* 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
* 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
* 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
* 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
* 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
* 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
* 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
* 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
* 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
* 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
* 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
* 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
* 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
* 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
* 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
* 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
* 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
* 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
* 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
* 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
* 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
* 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
* 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
* 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
* 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)
* 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
* 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
* 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
* 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
* 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
* 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
* 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
* 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
* 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
* 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
* 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
* 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
* 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
* 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
* 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
* 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
* 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
* 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
* 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
* 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
* 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
* 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
* 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
* 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
* 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
* 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
* 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
* 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
* 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
* 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
* 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
* 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
* 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
* 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
* 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
* 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
* 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
* 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
* 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
* 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
* 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
* 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
* 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
* 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
* 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
* 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
* 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
* 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
* 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
* 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
* 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
* 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
* 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
* 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
* 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
* 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
* 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091601.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
* 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
* 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
* 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
* 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
* 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
* 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
* 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
* 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
* 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
* 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
* 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
* 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
* 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
* 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
* 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
* 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
* 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
* 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
* 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
* 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
* 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
* 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
* 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
* 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
* 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
* 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
* 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
* 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
* 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
* 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
* 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
* 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
* 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
* 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
* 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
* 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
* 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
* 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
* 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
* 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
* 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
* 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
* 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
* 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
* 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
* 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
* 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
* 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
* 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
* 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
* 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
* 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
* 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
* 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
* 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
* 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
* 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
* 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)
* 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
* 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
* 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
* 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
* 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
* 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
* 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
* 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
* 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
* 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
* 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
* 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
* 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
* 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
* 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
* 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
* 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
* 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
* 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
* 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
* 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
* 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
* 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
* 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
* 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
* 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
* 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
* 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
* 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
* 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
* 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
* 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
* 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
* 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
* 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
* 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
* 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
* 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
* 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
* 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
* 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
* 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
* 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
* 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
* 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
* 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
* 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
* 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
* 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
* 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
* 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
* 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
* 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
* 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
* 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
* 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
* 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
* 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
* 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
* 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
* 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
* 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
* 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
* 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
* 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
* 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
* 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
* 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
* 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
* 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
* 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
* 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
* 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
* 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
* 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
* 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
* 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
* 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
* 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
* 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
* 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
* 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
* 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
* 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)
* 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
* 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
* 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
* 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
* 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
* 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
* 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
* 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
* 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
* 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
* 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
* 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
* 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
* 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
* 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
* 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
* 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
* 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
* 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
* 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
* 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
* 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
* 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
* 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
* 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
* 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
* 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
* 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
* 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
* 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
* 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
* 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
* 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
* 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
* 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
* 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
* 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
* 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
* 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
* 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
* 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
* 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
* 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
* 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
* 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
* 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
* 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
* 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
* 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
* 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
* 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
* 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
* 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
* 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
* 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
* 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
* 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
* 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
* 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
* 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
* 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
* 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
* 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
* 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
* 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
* 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
* 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
* 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
* 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
* 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
* 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
* 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
* 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
* 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
* 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
* 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
* 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
* 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
* 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
* 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
* 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
* 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
* 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
* 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
* 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
* 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
* 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
* 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
* 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
* 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
* 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
* 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
* 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
* 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
* 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
* 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
* 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
* 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
* 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
* 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
* 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
* 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
* 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
* 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
* 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
* 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
* 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
* 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
* 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
* 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
* 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
* 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
* 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
* 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
* 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
* 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
* 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
* 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
* 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
* 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
* 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
* 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
* 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
* 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
* 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
* 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
* 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
* 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
* 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
* 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
* 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
* 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
* 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
* 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
* 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
* 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
* 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
* 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
* 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
* 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
* 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
* 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
* 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
* 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
* 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
* 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
* 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
* 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
* 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
* 1:30854 <-> DISABLED <-> APP-DETECT DNS request 
for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules) * 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules) * 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules) * 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules) * 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules) * 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules) * 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules) * 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules) * 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules) * 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules) * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules) * 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules) * 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules) * 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules) * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules) * 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules) * 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules) * 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules) * 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
* 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
* 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
* 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
* 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
* 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
* 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
* 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
* 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
* 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
* 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
* 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
* 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
* 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
* 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
* 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
* 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
* 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
* 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)
* 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
* 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
* 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
* 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
* 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
* 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
* 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
* 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
* 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
* 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
* 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
* 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
* 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
* 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
* 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
* 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
* 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
* 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
* 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
* 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
* 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
* 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
* 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
* 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
* 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
* 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
* 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
* 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
* 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
* 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
* 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
* 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
* 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
* 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
* 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
* 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
* 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
* 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
* 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
* 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
* 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
* 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
* 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
* 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
* 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
* 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
* 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
* 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
* 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
* 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
* 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
* 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
* 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
* 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
* 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
* 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
* 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
* 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
* 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
* 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
* 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
* 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
* 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
* 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
* 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
* 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
* 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
* 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
* 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
* 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
* 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
* 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
* 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
* 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
* 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
* 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
* 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
* 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
* 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
* 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
* 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
* 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
* 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
* 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
* 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
* 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
* 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)
* 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
* 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
* 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
* 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
* 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
* 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
* 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
* 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
* 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
* 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
* 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
* 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
* 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
* 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
* 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
* 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
* 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
* 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
* 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
* 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
* 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
* 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
* 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
* 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
* 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
* 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
* 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
* 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
* 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
* 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
* 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
* 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
* 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
* 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
* 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
* 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
* 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
* 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
* 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
* 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
* 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
* 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
* 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
* 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
* 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
* 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
* 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
* 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
* 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
* 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
* 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
* 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
* 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
* 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
* 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
* 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
* 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
* 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
* 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
* 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
* 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
* 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
* 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
* 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
* 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
* 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
* 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
* 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
* 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
* 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
* 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
* 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
* 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
* 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
* 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
* 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
* 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
* 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
* 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
* 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
* 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
* 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
* 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
* 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
* 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
* 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
* 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
* 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
* 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
* 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
* 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
* 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
* 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
* 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
* 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
* 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
* 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
* 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
* 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
* 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
* 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
* 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
* 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
* 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
* 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
* 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
* 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
* 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
* 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
* 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
* 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
* 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
* 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
* 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
* 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
* 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
* 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)
* 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
* 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
* 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
* 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
* 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
* 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
* 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
* 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
* 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
* 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
* 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
* 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
* 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
* 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
* 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
* 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
* 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
* 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
* 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
* 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
* 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
* 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
* 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
* 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
* 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
* 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
* 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
* 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
* 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
* 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
* 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
* 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
* 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
* 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
* 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
* 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
* 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
* 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
* 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
* 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
* 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
* 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
* 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
* 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
* 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
* 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
* 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
* 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
* 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
* 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
* 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
* 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
* 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
* 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
* 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
* 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
* 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
* 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
* 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
* 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
* 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
* 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
* 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
* 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
* 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
* 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
* 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
* 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
* 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
* 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
* 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
* 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
* 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
* 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
* 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
* 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
* 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
* 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
* 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
* 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
* 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
* 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
* 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
* 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
* 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
* 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
* 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
* 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
* 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
* 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
* 1:37062 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
* 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
* 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
* 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
* 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
* 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.0.0.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT I2P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.1.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT I2P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected
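The record formats described above ("gid:sid <-> Default rule state <-> Message (rule group)" for the Snort 2 packs and "gid:sid <-> Message" for the Snort 3 packs) are easy to consume by script when you want to know which of the new rules fire by default, or which SIDs differ between two rule-pack listings. The following Python is an added example written for this page; it is not Talos or Snort code. It parses both record shapes, tolerates records run together on one line or wrapped across lines (as they appear after HTML extraction), and derives three things a rule maintainer usually wants: the SIDs enabled by default, a per-group count, and the SIDs added or dropped between two listings. The sample records are copied from this changelog; the assumption that "gid:sid" lines are the shape a PulledPork-style enablesid.conf/disablesid.conf accepts is noted in the code.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not part of the Talos changelog): parser for the rule-pack
# listing format. A record starts at "* " followed by "gid:sid <->"; records
# may be one per line or run together on one line.
_RECORD_SPLIT = re.compile(r"\*\s+(?=\d+:\d+\s+<->)")
_RECORD_START = re.compile(r"^\d+:\d+\s+<->")
_STATES = {"ENABLED", "DISABLED", "DROP"}
_GROUP_SUFFIX = re.compile(r"\s*\((?P<group>[\w.-]+\.rules)\)\s*$")

# Constructed sample input, copied from records on this page: a Snort 2 style
# listing run together on one line, and a Snort 3 style listing one per line.
SNORT2_SAMPLE = (
    "* 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules) "
    "* 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules) "
    "* 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules) "
    "* 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)"
)
SNORT3_SAMPLE = """\
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 1:13360 <-> APP-DETECT FTP 530 Login failed response
"""


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    state: Optional[str]   # default state; None for Snort 3 listings, which omit it
    category: str          # leading token of the message, e.g. "MALWARE-CNC"
    msg: str               # message without the trailing "(group.rules)"
    group: Optional[str]   # e.g. "malware-cnc.rules"; None when the listing omits it

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_record(record: str) -> Rule:
    """Parse one 'gid:sid <-> [state <->] message [(group)]' record."""
    fields = [f.strip() for f in record.strip().split("<->")]
    if len(fields) < 2 or ":" not in fields[0]:
        raise ValueError(f"malformed record: {record!r}")
    gid, sid = (int(x) for x in fields[0].split(":", 1))
    # Snort 2 listings carry a default-state field; Snort 3 listings do not.
    if len(fields) >= 3 and fields[1].upper() in _STATES:
        state, msg = fields[1].upper(), " <-> ".join(fields[2:])
    else:
        state, msg = None, " <-> ".join(fields[1:])
    group = None
    m = _GROUP_SUFFIX.search(msg)
    if m:
        group, msg = m.group("group"), msg[: m.start()].rstrip()
    return Rule(gid, sid, state, msg.split(" ", 1)[0], msg, group)


def parse_listing(text: str) -> list[Rule]:
    """Parse one listing; re-joins records wrapped across lines and skips
    non-record text such as the 'gid:sid <-> Message' header."""
    flat = " ".join(line.strip() for line in text.splitlines() if line.strip())
    chunks = (c.strip() for c in _RECORD_SPLIT.split(flat))
    return [parse_record(c) for c in chunks if _RECORD_START.match(c)]


def enabled_by_default(rules: list[Rule]) -> list[str]:
    """gid:sid keys whose default state is ENABLED (Snort 2 listings only)."""
    return [r.key for r in rules if r.state == "ENABLED"]


def sid_config_lines(rules: list[Rule], state: str) -> list[str]:
    """One 'gid:sid' per entry for rules in the given default state. Assumption:
    this is the line shape a PulledPork-style enablesid.conf/disablesid.conf takes."""
    return [r.key for r in rules if r.state == state.upper()]


def group_counts(rules: list[Rule]) -> dict[str, int]:
    """Records per rule group, falling back to the message category when a
    listing (Snort 3 style) carries no group."""
    counts: dict[str, int] = {}
    for r in rules:
        k = r.group or r.category
        counts[k] = counts.get(k, 0) + 1
    return counts


def diff_packs(old: list[Rule], new: list[Rule]) -> tuple[set[str], set[str]]:
    """(keys only in `new`, keys only in `old`) by gid:sid."""
    old_keys, new_keys = {r.key for r in old}, {r.key for r in new}
    return new_keys - old_keys, old_keys - new_keys


if __name__ == "__main__":
    snort2 = parse_listing(SNORT2_SAMPLE)
    print("enabled by default:", enabled_by_default(snort2))
    print("per group:", group_counts(snort2))
    added, dropped = diff_packs(snort2, parse_listing(SNORT3_SAMPLE))
    print("only in second listing:", sorted(added), "only in first:", sorted(dropped))
```

Feed it one version's listing at a time (the text between one "This is the complete list..." header and the next); a Snort 3 listing yields records with no state, so the default-state helpers only give answers for the Snort 2 packs, which is also where the page records that only 1:63606 and the gid 3 rules are on by default.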
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.4.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.0.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.1.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.1.0.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.3.0.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.4.0.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.5.0.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.7.0.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.9.0.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark varaint payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.2.0.0.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark varaint payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.11.0.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark varaint payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.15.0.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark varaint payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.18.0.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected
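Talos publishes these lists one entry per line in the "gid:sid <-> Message" shape given above, but a scraped copy often arrives as a single run of entries separated by " * ", sometimes broken mid-entry at a line wrap. The Python below is an added example, not part of the Talos changelog or of any Snort or Talos tool: it parses such a run into (gid, sid, message) records, counts entries per rule class, diffs two packs' lists by (gid, sid), and emits "gid:sid" strings in the form PulledPork's enablesid.conf and disablesid.conf accept. As a generalisation beyond the format line shown here, it also tolerates the older Snort 2.9 changelog shape, assumed to carry an ENABLED/DISABLED default-state field and a trailing "(file.rules)" group. Both sample texts are constructed from entries on this page.

```python
"""Parse flattened Talos rule-update lists and diff them between rule packs.

Added example; not part of the Talos changelog or of any Snort/Talos tool.
Entry shapes handled:
    <gid>:<sid> <-> <Message>                                  (this page)
    <gid>:<sid> <-> ENABLED|DISABLED <-> <Message> (<file>.rules)  (older shape, assumed)
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Lazy message group so an optional trailing "(file.rules)" group is not swallowed.
ENTRY_RE = re.compile(
    r"^(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?:(?P<state>ENABLED|DISABLED)\s*<->\s*)?"
    r"(?P<msg>.+?)"
    r"(?:\s*\((?P<group>[\w.-]+\.rules)\))?\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    msg: str
    state: Optional[str] = None   # default rule state; only in the older shape
    group: Optional[str] = None   # rules file; only in the older shape

    @property
    def category(self) -> str:
        """Talos messages lead with the rule class, e.g. APP-DETECT or MALWARE-CNC."""
        return self.msg.split(" ", 1)[0]


def parse_entries(text: str) -> list[RuleEntry]:
    """Split a '* a * b * c' run into entries. Entries broken across line wraps are
    re-joined; the version header and the format line do not match and are skipped."""
    entries = []
    for chunk in re.split(r"\s*\*\s+", text):
        chunk = " ".join(chunk.split())   # collapse newlines/double spaces inside an entry
        m = ENTRY_RE.match(chunk)
        if not m:
            continue
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]), m["msg"].strip(),
                                 m["state"], m["group"]))
    return entries


def category_counts(entries: list[RuleEntry]) -> dict[str, int]:
    """How many entries fall in each rule class."""
    return dict(Counter(e.category for e in entries))


def sid_list(entries: list[RuleEntry], state: Optional[str] = None) -> list[str]:
    """'gid:sid' strings (the form PulledPork's enablesid.conf/disablesid.conf take),
    optionally restricted to entries with a given default state."""
    return sorted(f"{e.gid}:{e.sid}" for e in entries
                  if state is None or e.state == state)


def diff_packs(old: list[RuleEntry], new: list[RuleEntry]) -> dict[str, set[tuple[int, int]]]:
    """(gid, sid) pairs present only in the newer list, only in the older, or in both."""
    old_ids = {(e.gid, e.sid) for e in old}
    new_ids = {(e.gid, e.sid) for e in new}
    return {"added": new_ids - old_ids, "removed": old_ids - new_ids, "common": old_ids & new_ids}


# Constructed excerpt in the shape of the 3.x list above (entries copied from it; the
# line breaks deliberately fall mid-entry, as they do in a scraped copy of the page).
SAMPLE_3X = """\
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.18.0.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt * 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner
prompt XSS attempt * 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt *
1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
"""

# Constructed excerpt in the assumed older shape (default state plus rules-file group).
SAMPLE_29 = """\
* 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules) * 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
"""

if __name__ == "__main__":
    new, old = parse_entries(SAMPLE_3X), parse_entries(SAMPLE_29)
    print(category_counts(new))
    print(diff_packs(old, new))
    print(sid_list(old, "ENABLED"))
```

Run against the full text of two version sections, diff_packs shows whether a later pack's list really differs from an earlier one or merely repeats it, and sid_list(entries, "DISABLED") gives the candidates to review before enabling them locally.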
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.20.0.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.21.0.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.35.0.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain 
seed.ppcoin.net * 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info * 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org * 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org * 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org * 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net * 1:31532 <-> APP-DETECT Xolominer outbound connection attempt * 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt * 1:32865 <-> APP-DETECT I2P DNS request attempt * 1:32866 <-> APP-DETECT I2P UPNP query attempt * 1:33430 <-> APP-DETECT I2P traffic transmission attempt * 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt * 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt * 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt * 1:37062 <-> APP-DETECT 12P DNS request attempt * 1:37298 <-> APP-DETECT Hola VPN installation attempt * 1:37299 <-> APP-DETECT Hola VPN installation attempt * 1:37300 <-> APP-DETECT Hola VPN startup attempt * 1:37301 <-> APP-DETECT Hola VPN startup attempt * 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt * 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt * 1:37304 <-> APP-DETECT Hola VPN non-http port ping * 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive * 1:37306 <-> APP-DETECT Hola VPN startup attempt * 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt * 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection * 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt * 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected * 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected * 1:50870 <-> APP-DETECT Quagga password challenge detected
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.44.0.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.47.0.
The format of the file is:
gid:sid <-> Message
* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected